from the throw-away-your-phone dept

As you may have heard, if you have an iOS device (iPhone, iPad, even iPod Touch) you should be updating your devices, like a few hours ago. Seriously, if you haven't done it yet, stop reading and go update. The story behind this update is quite incredible, and is detailed in a great article over at Motherboard by Lorenzo Franceschi-Bicchierai. Basically after someone (most likely a gov't) targeted Ahmed Mansoor, a human rights activist in the United Arab Emirates with a slightly questionable text (urging him to click on a link to get info about prison torture), a team of folks from Citizen Lab (who have exposed lots of questionable malware) and Lookout (anti-malware company) got to work on the text and figured out what it did. And, basically the short version is that the single click exploits three separate 0days vulnerabilities to effectively take over your phone in secret. All of it. It secretly jailbreaks the phone without you knowing it and then accesses basically everything.

“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”

So that's great.

The researches believe they've tracked back the exploit to a secretive hacking company called NSO Group. The full Citizen Lab writeup on all of this is quite fascinating as well. They estimate that this exploit from NSO probably costs in the range of a million dollars on the market, though obviously it's closed now. That doesn't mean that NSO or others don't have other exploits up their sleeves.

The report also notes that this kind of exploit is probably just used by nation states right now, but there's nothing to say that it couldn't move down the stack before too long, letting all sorts of mischievous characters look to basically completely pwn your phone. Pretty scary stuff, and yet another reminder of why it's so dangerous that folks like the NSA are hoarding 0days, rather than revealing them, and that the FBI is trying to force tech companies to break encryption and other tools that are necessary to block these kinds of attacks.

from the federal-shield-law? dept

We were just noting how the Computer Fraud and Abuse Act is regularly abused to bring "hacking" charges where none are really warranted. And here we have yet another example. Alex Howard points out that a Minnesota Public Radio reporter, Sasha Aslanian, is potentially facing "hacking" charges from a Texas company called Lookout Services. Lookout creates employment/compliance software for large organizations, and Aslanian was reporting on a supposed data vulnerability in the software used to verify employment eligibility that could potentially reveal private info. Aslanian's report noted that she was able to see info from the state of Minnesota, and the state was now directing agencies to stop using Lookout. The details are not entirely clear, but from what's written at the MinnPost link above, it sounds like there were some vulnerabilities, poor security, and a bungled demonstration which revealed a vulnerability -- all of which Lookout admits -- and from those vulnerabilities (which Lookout claims it closed), someone was able to adjust the URL to find private data.

So, basically, the company admits to a series of vulnerabilities, which exposed info that allowed the reporter to eventually see some private data... but still claims that the reporter was "hacking" and is now looking to sue under the same Computer Fraud and Abuse Act, which could lead to 5 years in prison. Because our federal government still hasn't passed a journalism shield law, the reporter is potentially liable, though, as the MinnPost reporter notes, Lookout seems particularly shortsighted in bringing this lawsuit in the first place. All it does is call more attention to its own vulnerabilities and failings. And the CEO of Lookout basically responds that she doesn't care:

While the legality and severity of Lookout's security breach remains to be adjudicated, there's no doubt Aslanian was trying to serve the public interest -- something a prosecutor might consider. As Dalglish says, "The state of Minnesota should be grateful MPR exposed what's going on. It seemed like a pretty good story."

I asked Morley if she realized, by filing a high-profile suit, how hapless her timeline made Lookout look. After all, there's the webinar screwup, letting clients pick lame IDs/passwords and caching security credentials in such a way that rendered them useless.

"Yup," she admitted. "It was a perfect storm that came together. Our communication with the state really broke down -- in our contract, we had 60 days to fix any problem. But there was still an unauthorized intrusion, and that was wrong."

So, even though this will publicize not just Lookout's failings, but also how it responds to people who notice and report on vulnerabilities, the company still thinks it needs to bring a lawsuit because exposing those vulnerabilities "was wrong"? I would argue that the company's reaction to this gives many more reasons never to do business with Lookout -- more than any discovered vulnerabilities. Vulnerabilities in software happen -- and it's more telling how a company reacts when they're exposed. Suing those who expose them isn't what you want to see. Update: Lots of good points in the comments, pointing out (of course) that Lookout cannot bring criminal charges against the woman, only prosecutors could do that, and it seems unlikely they would do so in this case.